changeme: A better tool for hunting default creds

Presented at DerbyCon 7.0 Legacy (2017), Sept. 24, 2017, 1 p.m. (25 minutes)

"Default credentials haunt organizations. Whether they're used to gain access or escalate privileges, default credentials lurk in the corners most organizations. To combat this attack, organizations leverage commercial vulnerability scanners. However in my research, most commercial scanners fall short and can leave your organization vulnerable to attack while giving you a false sense of security. This presentation will cover my research into the efficacy of commercial vulnerability scanners to detect default passwords and present my open source tool, changeme (https://github.com/ztgrace/changeme), for improving the detection of default credentials. I'll be releasing version 1.0 of changeme at DerbyCon." Zach has worked in offensive security for the last seven years focusing on securing financial institutions. He is active in the Milwaukee security community in which he helps organize @MilSec, is an OWASP Milwaukee chapter leader and is a member of the Wisconsin Collegiate Cyber Defense Challenge (CCDC) Red Team. He’s also the creator of the open source security projects changeme and Sticky Keys Hunter. @ztgrace

Presenters:

• Zach Grace

Links:

• https://www.derbycon.com/sunday-schedule/#event-234

Similar Presentations:

• Black Hat USA 1999 / 1000 Hackers in a Box: Failings of "Security Scanners"